I'm no expert in this, but AFAIK it's not JavaScript itself that is - or was - considered 'evil', but its little nephew from Redmond: JScript, and his neighbor VBScript. Together with older versions of IE and ActiveX components, they could do some harm. MS therefore raised the default security settings in IE and introduced separate 'zones', so now there is less to worry about.

A lot of people also confuse JavaScript with Java. I don't know how many times I hear of a JavaScript vunerability that is really Java. As RonPK said, IE did have some problems a while back, but those have been patched, and jscript and vbscript have been givin a smaller sandbox. Not using JavaScript on your site is not really going to help visitors being attacked at other sites.

glad you brought this up.
It was mentioned in another thread here a little while ago and I went nuts.

The javascript security risk is a myth. you are right, there's no such thing.

Once again: it's a myth.

The other big myth among many internet users concerns cookies.
I've heard that cookies "slow down" the computer. And I've heard that cookies enable web sites to spy on users.
Ridiculous, of course.

Why does a myth like this perpetuate?
My take is this:

People fear what they don't understand. Learning to use this thing called the "internet" was, for most people, a daunting experience. Like moving into a new and unfamiliar neighborhood. For some reason, Javascript and cookies got labeled as "dark alleys" and it gave users a feeling of safety to avoid them.
With visions of big brother invading everybody's computer, users felt better doing something, anything to protect themselves even if it was based on unsubstantiated rumor. Kind of like double-locking the front door but leaving all the windows open. It's irrational, but double locking the front door makes you feel safer.

I don't think the problem is with JS. IMO the focus should be on making sure the scripts used on a site are written so they don't lend themselves to exploits. Also, anyone allowing outsiders to post html tags ought to make sure they have proper filtering is in place because a number of the tags can serve as a vehicle to execute malicious JS scripts.

"...I've heard that cookies enable web sites to spy on users. ... Ridiculous, of course. ..."

The web as it is now wouldn't work without cookies, but there are a bunch of privacy problems with them, and one of those problems is that they certainly do enable web sites to spy on users. Normal cookies only record detils of your browsing habits within the site (although this can include your buying habits, the site or search engine that you came from, etc). "Spyware cookies" are cookies which a syndicate of sites share, sothey get a fuller picture of your browsing and Internet buying habits. Not very dangerous, but an invasion of privacy none the less.

Javascript as it was designed doesn't have security holes. However, with any software there is a continual cycle of security vulnerabilities being discovered, and patches to fix them. Some of those security vulnerabilities have been javascript related in the past. Just to illustrate, msg # 1 in this thread says "Accessing data from windows on different domains" is not a security hole. That is true, but bear in mind the protection is implemented in the browser, so if a particular browser has a bug and doesn't implement that protection properly then the hole is there.

As korkus2000 said, suggesting to webmasters not to use Javascript is a bit misguided, as it is the websurfer surfing arbitrary sites who is vulnerable, not your site.

Good posts everyone. Thanks for answering. :)

I hadn't really considered script plus controls (ActiveX, XPCONNECT, &c), which can (depending on browser settings) be a dangerous combination, I agree. I also hadn't really considered earlier implementations of JS, such as one might find in NS3 or 4, or IE3, which may indeed be subject to some of the vulnerabilities that I mentioned.

I think the bottom line, for me at least, is that there is no reason (security-wise I mean, accessibility issues aside) not to use JS on your site. :)

Jordan